Investigation Techniques

Which of the following can be obtained from a wire transfer record?
A. The name of the sender or originator
B. The sending institution’s accreditation type
C. The recipient’s government identification number
D. The name of the receiving institution’s registered agent

Charles, a fraud examiner, accuses George of fraud during an admission-seeking interview. George immediately denies the charge. How should Charles respond to George’s denial?
A. Counter the denial by arguing with George until further denials are futile.
B. Use a delaying tactic to interrupt the denial.
C. Remind George he has to tell the truth or face perjury.
D. Allow George to continue denying the charge.

When reporting the results of a fraud examination, it is best to include copies (not originals) of important documents in the formal report.
A. True
B. False

Which of the following is a best practice for obtaining a signed statement?
A. Make sure that everything is included in the signed statement and that no addendums are made.
B. Have two individuals witness the signing of the document when possible.
C. Include all of the subject’s offenses, whether related or not, in a single document.
D. Have the suspect write out the entire statement in his own handwriting.

Dennis, a fraud investigator, is interviewing Richard, a fraud suspect. During the interview, Dennis suspects that Richard is not answering questions honestly. To gauge Richard’s credibility, which type of question should Dennis ask?
A. Assessment
B. Open
C. Rhetorical
D. Leading

Which of the following statements concerning a well-written fraud examination report is most accurate?
A. The report should convey all information provided by witnesses.
B. The report writer should avoid technical jargon where possible.
C. Only relevant facts that support the fraud allegation should be included in the report.
D. Signed copies of the fraud examiner’s interview notes should be used to report interview details.

Which of the following should be done to prepare an organization for a formal fraud investigation?
A. Inform the subject that he is under investigation.
B. Notify key decision makers that the investigation is about to begin.
C. Notify all managers about the investigation, explaining why it is happening and who is involved.
D. Send an email to all employees explaining the investigation’s purpose.

Why is it necessary to image a seized computer’s hard drive for forensic analysis?
A. To prohibit access to the suspect computer’s hard drive by individuals not professionally trained in forensic analysis
B. To allow for the analysis of data from a suspect computer without altering or damaging the original data in any way
C. To create pictures of the suspect computer system and its wires and cables
D. To enable the retrieval of data from the suspect computer directly via its operating system

Which of the following statements would be IMPROPER if included in the fraud examination report of a CFE who is also qualified as an accounting expert?
A. “The company’s internal controls were wholly inadequate to prevent this type of violation and should be remediated at the earliest possible time.”
B. “Based on statements he made to me, it is my assessment that the suspect has a dishonest disposition.”
C. “From my examination, it appears that the company’s financial statements were not presented in accordance with generally accepted accounting principles.”
D. “The evidence shows that expenses in excess of $5 million were omitted from the company’s financial statements.”

David, an interviewer with little experience, asks Smith, the respondent, the following question: “Were you aware that the signature was forged, and why didn’t you tell anyone earlier?” This kind of question is called a _ question.
A. Double-negative
B. Free narrative
C. Controlled answer
D. Complex

When a Certified Fraud Examiner conducts a fraud examination, he must proceed as though:
A. The suspect is guilty.
B. After the suspect is terminated, the case will end.
C. The case will end in litigation.
D. The matter will be resolved completely internally.

Which of the following statements about data mining is INCORRECT?
A. Data mining is an effective way for fraud examiners to develop fraud targets for further investigation.
B. Data mining is the science of searching large volumes of data for patterns.
C. Data mining can be used to streamline raw data into understandable patterns.
D. Data mining is used to recover deleted data from a computer system.

Assuming that a jurisdiction has prohibited pretexting with financial institutions, which of the following actions would constitute illegal pretexting?
A. Making purchases with a credit card account under a fictitious identity
B. Digging through a person’s trash to obtain his bank account information
C. Withdrawing another person’s funds using a stolen bank account number and PIN
D. Falsely claiming to be the spouse of an account holder to access bank records

Which of the following would be most useful in determining who created a specific document file?
A. Operating system partition
B. The document’s metadata
C. The system log
D. Internet activity data

Looking at a list of expenses, Karen notices that airfare expenses have risen dramatically, but she believes that the staff actually traveled fewer days this year than last year. Which of the following data analysis functions would be the most useful in helping Karen analyze these two variables?
A. Correlation analysis
B. Gap testing
C. Duplicate testing
D. Benford’s Law analysis

Barnes, a CFE, is using data analysis to identify anomalies that might indicate fraud in XYZ Company’s accounts payable transactions. Which of the following is the most effective data analysis function that Barnes could use to look for potential fraud in accounts payable?
A. Compare book and tax depreciation and indicate variances
B. Identify paycheck amounts over a certain limit
C. Review recurring monthly expenses and compare to posted/paid invoices
D. All of the above

Bennett, a fraud examiner, is performing textual analytics on journal entry data. He developed a list of fraud keywords to search for based on the three legs of the Fraud Triangle. Which of the following fraud keywords found in the journal entry text is the best indicator of pressure to commit fraud?
A. Override
B. Deserve
C. Temporary
D. Quota

Andrew wants to use a confidential informant in his investigation. He plans to compensate the informant with cash and obtain a receipt. He also plans to identify his source in a memo and his final report using only the informant’s initials. Which of Andrew’s plans is NOT considered a best practice when using an informant?
A. Creating a receipt regarding the cash payment
B. Compensating the informant with cash
C. Using information from the informant in his final report
D. Referring to the informant in the memo using the informant’s initials

When planning for the interview phase of an investigation, which of the following steps should NOT be taken by the fraud examiner?
A. Ensure that the interview is held in a venue where the subject will feel comfortable.
B. Consider what the interview is intended to accomplish and state an objective.
C. Prepare a detailed list of questions to ask the subject during the interview.
D. Review the case file to ensure he has not overlooked important information.

Which of the following is TRUE of a follow-up/recommendations section in a written fraud examination report?
A. A follow-up/recommendations section must include a list of organizational failings that contributed to the fraud
B. A follow-up/recommendations section is not a required part of every written fraud examination report
C. A follow-up/recommendations section calculates the amount of loss caused by any misconduct identified during the investigation
D. All of the above

Which of the following is NOT one of the purposes of closing questions in a routine interview?
A. To reduce testimony to a signed, written statement
B. To gather additional facts
C. To reconfirm facts
D. To close the interview positively and maintain goodwill

Which of the following is NOT a common use of public sources of information?
A. Locating people and their assets
B. Corroborating or refuting witness statements
C. Obtaining background information on individuals
D. Searching an individual’s income tax filings

It is recommended that information in a fraud examination report be presented alphabetically with respect to parties and document titles.
A. True
B. False

Why do fraud examiners perform analysis on unstructured, or textual, data?
A. To determine whether the footnotes to the financial statements are fairly presented
B. To categorize data to reveal patterns, sentiments, and relationships indicative of fraud
C. To figure out whether someone is lying or telling the truth based on context clues
D. To find an admission of fraud in an email or other communication that can be presented in court

During an interview, Sam tells the fraud examiner he saw the subject in the supply room three times. As he continues, he begins to become confused as to whether he saw the subject on a fourth occasion and on what dates he saw the subject. Which of the following describes the communication inhibitor in this situation?
A. Altruistic appeal
B. Chronological confusion
C. Inferential confusion
D. Unconscious behavior

Arnold, a Certified Fraud Examiner for Integra Wealth, learns that Keene, an accounts payable clerk, recently purchased an expensive ski boat. Arnold also knows that Keene recently purchased a vacation home on a nearby lake. Arnold has sufficient predication to:
A. Conduct discreet inquiries into Keene’s responsibilities as an accounts payable clerk.
B. Notify management of the possibility that Keene has committed fraudulent acts.
C. Search Keene’s mobile phone for evidence of misconduct.
D. Directly accuse Keene of having committed fraud.

Thompson, a CFE, was hired to trace Keeler’s assets. To trace the assets, Thompson uses Keeler’s books and records to analyze the relationship between his receipt and subsequent disposition of funds or assets. Which tracing method did Thompson use?
A. The asset method
B. The direct method
C. The comparative assets method
D. The indirect method

Jackson, a Certified Fraud Examiner, is beginning his interview of Randall. He thinks that Randall might have information about a coworker’s involvement in a fraudulent disbursement scheme. Before Jackson begins asking serious questions, what should he get from Randall?
A. A commitment for assistance
B. A signed indemnity form
C. A list of references
D. A list of his previous employers
Which of the following is the MOST ACCURATE statement concerning the volatility of digital evidence?
A. If the integrity of digital evidence is violated, it often can be restored through a digital cleansing process.
B. Digital evidence is more volatile than tangible evidence because the rules of admissibility for digital evidence are stricter than such rules for tangible evidence.
C. The failure to preserve the integrity of digital evidence could result in evidence being deemed inadmissible in a legal proceeding.
D. Digital evidence is more volatile than tangible evidence because digital evidence is subject to claims of spoliation, whereas tangible evidence is not.

Which of the following is INCORRECT with regard to locating individuals using online records?
A. Obtaining a past address of the subject should be the first step in trying to locate a subject using online records.
B. Before engaging in a search, the fraud examiner should know the most powerful and useful types of searches.
C. Online records are very useful in locating subjects whose whereabouts are unknown.
D. If an individual has moved, obtaining a past address is usually of no help.

Which of the following data analysis functions is used to determine whether company policies are met by employee transactions, such as verifying that traveling employees book their accommodations at approved hotels?
A. The compliance verification function
B. The join function
C. The gap testing function
D. The correlation analysis function

Which of the following statements about how fraud examiners should approach fraud examinations is FALSE?
A. When conducting fraud examinations, fraud examiners should adhere to the fraud theory approach.
B. When conducting fraud examinations, fraud examiners should start with specific details and move toward more general information.
C. When conducting fraud examinations, fraud examiners should begin with general information that is known and then move to the more specific details.
D. In most examinations, fraud examiners should start interviewing the least involved candidates and proceed toward those who are potentially more involved.

Which of the following is NOT one of the main limitations of conducting a search for public records using online databases?
A. Fraud examiners often must search for public records in multiple jurisdictions.
B. Online records companies are difficult to find.
C. Fraud examiners must validate the accuracy of the records obtained online.
D. The online record might only be a brief abstract of the original.

Boyd, a CFE, was hired to trace Lott’s financial transactions. During his investigation, Boyd obtains records of electronic payments Lott made during the past five years. Which of the following are these records most likely to reveal?
A. The division and distribution of Lott’s assets
B. The assets that Lott has purchased
C. If Lott is skimming his employer’s funds
D. The funds Lott has tied up in real property

Which of the following is a common characteristic that asset hiders look for in the financial vehicles they use to conceal their assets?
A. Traceability
B. Liquidity
C. Inaccessibility
D. Transparency

Misty, a fraud investigator, is interviewing Larry, who she suspects has been embezzling company funds. Which of the following is NOT a recommended sequence in which Misty should ask Larry questions?
A. Start with general questions and move toward specific questions.
B. Ask questions seeking general information before seeking details.
C. Start with questions about known information and work toward unknown information.
D. Ask questions in random order to prevent Larry from knowing what question comes next.

Christopher, a fraud examiner, is conducting an admission-seeking interview with Jennifer, an employee suspected of stealing cash. Which of the following is the LEAST effective phrasing for Christopher to use when posing an admission-seeking question to Jennifer?
A. “Why did you take the money?”
B. “What did you do with the money?”
C. “Did you steal the money?”
D. “How much of the money do you have left?”

Which of the following situations would probably NOT require access to nonpublic records to develop evidence?
A. Analyzing an individual’s personal mobile phone records
B. Accessing banking records to trace assets
C. Obtaining personal health care records
D. Reviewing a company’s business filings

Alana is the former girlfriend of Oscar, a fraud suspect. She approaches Bianca, a fraud examiner at Oscar’s company, and offers to provide critical information about Oscar’s fraud. However, she requests full confidentiality in return for her assistance. Which of the following is the most appropriate response for Bianca to make?
A. Explain that Alana may have qualified confidentiality, but that no absolute assurances can be given.
B. Promise Alana that her identity will not become known.
C. Promise Alana unqualified confidentiality over all information provided.
D. Explain that nothing may be confidential because all information must be disclosed to the company.

Gilbert is preparing to conduct a covert investigation. Before acting, he wants to write a memo documenting his plan. Which of the following pieces of information should he include in this memo?
A. His first impression regarding the subject’s culpability
B. The identities of any confidential sources to be used in the operation
C. The information expected to be gained from the operation
D. All of the above

Which of the following general statements about a fraud investigation plan is CORRECT?
A. An investigation plan should identify the scope of the investigation.
B. An investigation plan should establish which individuals violated the law.
C. An investigation plan should promise a particular investigation outcome.
D. An investigation plan should notify all employees about the investigation.

Which of the following sources of information is usually considered to be the MOST important in tracing a subject’s assets?
A. Credit card statements
B. Surveillance footage
C. Paystubs
D. Financial institution records

Baker, a Certified Fraud Examiner, is assigned to the internal audit department of the ABC Company. He is getting ready to conduct an interview with another company employee who might be involved in a fraud. In general, what title should Baker use in his introduction to the employee?
A. Baker should omit a title altogether
B. Certified Fraud Examiner
C. Investigator
D. Auditor

Elizabeth, a Certified Fraud Examiner, is conducting an admission-seeking interview with Shannon, a fraud suspect. Shannon is seated approximately five feet away from Elizabeth in an empty room. The room has one window, no wall hangings, and the door is closed. According to admission-seeking interview best practices, what change should Elizabeth make to the interview environment to increase the chances of the interview’s success?
A. Place a table between her and Shannon to create a psychological barrier
B. Move the interview to a room without a window to prevent outside distractions
C. Open the door so that Shannon feels free to leave at any time
D. All of the above

Which of the following is the most accurate statement about seizing a computer for examination?
A. When seizing a computer for examination, the party seizing the computer should not waste time looking around the area for passwords because password-protected data is private and therefore legally protected.
B. Before removing a computer system from a scene for further analysis, it is important to document the system’s setup with photographs or diagrams.
C. When taking a computer for examination, if the computer is off, it should be turned on before it is removed.
D. When seizing a computer that is running, it is acceptable to review the files contained on the machine prior to seizing it.

Baker, a Certified Fraud Examiner, contacts Delta for the purpose of conducting a routine, information-gathering interview. Delta expresses a desire that his coworker, Matthew, whom Baker also plans to interview, be interviewed at the same time. Baker should:
A. Interview Delta and Matthew at the same time by himself.
B. Interview Delta and Matthew at the same time, but bring in a second interviewer.
C. Interview Delta and Matthew separately.
D. Allow Matthew to be present as a silent observer.

Which of the following is a common method that fraudsters use to hide their ill-gotten gains?
A. Placing assets in probate
B. Creating a will to allocate assets at death
C. Purchasing a used vehicle
D. Transferring assets into foreign trusts

Susan, a Certified Fraud Examiner, is conducting an admission-seeking interview of Beth, a fraud suspect. After Susan gave Beth a suitable rationalization for her conduct, Beth continued her denials, giving various alibis. Which of the following would be the LEAST effective technique for Susan to use in this situation?
A. Displaying all the evidence she has against Beth at once
B. Convincing Beth of the strength of the evidence against her
C. Discussing Beth’s prior deceptions
D. Discussing the testimony of other witnesses

When evidence of fraud arises, management should respond, in part, by:
A. Documenting the initial response
B. Informing those suspected of misconduct
C. Disciplining the suspected employee
D. Removing any litigation holds

Which of the following is an example of a closed question?
A. “When were you promoted to manager of the department?”
B. “Why did you come to work early that day?”
C. “What do you like about your current position?”
D. “What are your thoughts about the commission program?”

Which of the following is a reason why a subject’s credit card records are useful in tracing investigations?
A. Credit card records contain information about the division and distribution of the subject’s assets.
B. Credit card records provide insight into the subject’s litigation history.
C. Credit card records show the movements and habits of the subject.
D. Credit card statements show the source of the funds used to pay a credit card bill.

Which of the following is considered good practice when selecting the participants on a team assembled to investigate fraud?
A. Select team members with a close professional relationship with the subject
B. Select team members who are the most qualified, regardless of their personalities
C. Select team members who possess untraditional knowledge that can contribute to the investigation
D. All of the above

Which of the following is the most appropriate measure when seeking to avoid alerting suspected perpetrators who are under investigation?
A. Delay taking any action.
B. Disclose the investigation to all employees.
C. Terminate the suspected employee.
D. Investigate during nonbusiness hours.

Maria, a fraud suspect, arrives at an interview with David, a fraud examiner, smelling of marijuana smoke. Maria’s apparent drug use will likely cause her behavioral clues to be:
A. More difficult to read
B. More honest
C. Unaffected
D. Easier to read

Tom is conducting a fraud examination for a company and suspects one of the company’s vendors (a one-person operation) of fraudulent billing. Tom wants to obtain a copy of the suspect individual’s credit report and personal data from a third-party information broker. If Tom works in a jurisdiction that regulates the distribution of personal credit information, he cannot obtain the suspect’s personal credit data under any circumstances.
A. True
B. False

A fraud examiner contacts a witness regarding an interview. If the respondent says, “I’m too busy,” how should the fraud examiner react?
A. Point out that the interviewer is already there.
B. Caution him that avoidance of the interview will be considered suspicious.
C. Explain that the respondent will be subject to discipline if he does not participate.
D. Offer to come back at a later time.

Which of the following is NOT a step a fraud examiner must take before seizing evidence in a digital forensic investigation?
A. Obtain and become familiar with any applicable legal orders.
B. Ensure that all forensic equipment is being used properly.
C. Verify that all forensic equipment is new and has never been used before.
D. Determine whether there are privacy issues related to the item(s) to be searched.

Which of the following statements concerning real property records is MOST ACCURATE?
A. A property’s historical price is generally only available to the tax authority and the property owner.
B. Real property records often contain the identity of the party that financed the purchase of the property, if applicable.
C. Real property records usually contain a property owner’s credit report.
D. In most jurisdictions, there are no publicly available real property records.

Which of the following is NOT a purpose of an admission-seeking interview?
A. To encourage a culpable person to confess
B. To obtain a valid confession
C. To establish that the accused mistakenly committed the act
D. To obtain a written statement acknowledging the facts

Sarah is conducting an admission-seeking interview of a suspect. Throughout the interview, the suspect makes little eye contact with Sarah. Based on this information alone, can Sarah conclude that the suspect is being deceptive?
A. No, because avoiding eye contact is not directly linked to deception.
B. No, because this is not enough information to conclude that the suspect is being deceptive.
C. Yes, because avoiding eye contact is a sign of deception in all cultures.
D. Yes, because it is safe to assume that suspects who avoid eye contact are most likely being deceptive.

Naveed, a fraud suspect, has decided to confess to Omar, a Certified Fraud Examiner. In obtaining a verbal confession from Naveed, Omar should obtain all of the following items of information EXCEPT:
A. A general estimate of the amount of money involved
B. A statement from Naveed that his conduct was an accident
C. The approximate number of instances
D. The location of any residual assets
Which of the following is a unique challenge of cloud forensics not faced in traditional forensic practices?
A. Lack of prosecutorial interest
B. Lack of trust from cloud providers
C. Lack of information accessibility
D. Lack of adequate data

Fraud examination reports should be written with which of the following audiences in mind?
A. Investors and owners
B. The media
C. Opposing legal counsel
D. All of the above

If you are seizing a computer for forensic analysis, why is it generally necessary to seize any copiers connected to it?
A. Most copiers today are nonimpact copiers, meaning they store copied images indefinitely.
B. Many copiers have internal hard drives that might contain information relevant to a fraud examination.
C. Most copiers store, process, and transmit data in a cloud environment.
D. Many copiers connect via parallel cables, which store and transmit copy job data.

A law enforcement officer receives a reliable tip from an informant that a government employee is soliciting bribes in exchange for awarding contracts to the employee’s agency. To investigate, the officer poses as a potential contractor and contacts the suspect employee about the possibility of getting a contract with the agency. In the course of the conversation, the suspect demands a cash payment for the officer to be considered for upcoming contracts. If the suspect claims entrapment at trial, then which of the following is most likely to occur?
A. The suspect’s claim will succeed because the investigator used deceit.
B. The suspect’s claim will fail because the investigator had adequate predication.
C. The suspect’s claim will fail because the investigator is a law enforcement agent.
D. The suspect’s claim will succeed because the investigator lacked probable cause.

Which of the following is a red flag indicating that a subject is seeking to conceal ill-gotten assets through a loan repayment?
A. The subject refinances his loan at a lower interest rate.
B. The subject makes a large paydown on his loan.
C. The subject uses an online banking service to make a loan payment.
D. The subject shows concern for making his loan repayments on time.

If your suspect is spending suspected illicit funds on consumables (e.g., travel and entertainment) and you need to prove his illicit income circumstantially, which of the following methods of tracing assets would yield the best result?
A. The expenditures method
B. The asset method
C. The application of funds method
D. The income method

Scarlett, a Certified Fraud Examiner, is conducting an admission-seeking interview of Plum, a fraud suspect. After Scarlett diffused Plum’s alibis, Plum became withdrawn and slowly began to slouch in his chair, bowing his head. What should Scarlett do now?
A. Insist that Plum sit up straight.
B. Present an alternative question.
C. Say nothing else until Plum confesses.
D. Discourage Plum from showing emotion.

During an interview of a fraud suspect, the interviewer states: “I can see why you altered the financial statements; you were trying to prevent the massive employee layoffs that would have followed the company’s financial collapse.” Which of the following best describes the facilitator that the interviewer is using?
A. Extrinsic rewards
B. Catharsis
C. Altruism
D. Recognition

Which of the following is a reason why a person or organization might engage a fraud examiner to trace illicit transactions?
A. An organization wants to find hidden relationships between trading instruments.
B. An employer wants to know if an employee is falsifying regulatory reports.
C. A judgment creditor needs to identify the judgment debtor’s assets.
D. An attorney wants to evaluate an expert’s financial report.

Which of the following is an example of a leading question?
A. “Do you usually go out for lunch or do you prefer to eat at the office?”
B. “When did you first notice the manipulation of the receivables?”
C. “Weren’t you in charge of ensuring that new vendors are properly vetted?”
D. “Was anyone else involved in the project?”

Which of the following types of information would LEAST likely be found when searching external sources without the subject’s consent or a legal order?
A. Background information on a subject
B. Private business tax records
C. Ownership of a vendor or competitor
D. Location of a subject’s assets

During an interview, Alex asked a fraud suspect if he could retrieve the suspect’s account records from his bank. The suspect said yes but did not provide consent in writing. Although the suspect orally consented, the suspect’s bank is not required to allow Alex to access the suspect’s account records at this point.
A. True
B. False

Amanda needs to know the location of the principal office and the date of incorporation of a company she is investigating. Which of the following sources would most likely contain these items of information?
A. The comprehensive litigation file in the local court in the jurisdiction in which the company is headquartered
B. The contractual records of any real property owned by the corporation
C. The company’s income tax filings
D. The organizational filing with the government of the jurisdiction in which the company is incorporated

An investigator is preparing to administer what is likely to be an intense and extended interview with a fraud suspect. To organize his thoughts prior to the interview, the fraud examiner should:
A. Make a list of key points to go over with the respondent.
B. Memorize a detailed list of questions, but avoid bringing a written list to the interview.
C. Develop a list of questions ranked in order of importance.
D. Provide the suspect with a list of questions to ensure detailed responses.

Marilyn, a Certified Fraud Examiner, is reasonably sure that Shelly, her primary suspect, committed the fraud in question. Before scheduling an admission-seeking interview with Shelly, Marilyn should be reasonably sure of all of the following EXCEPT:
A. That the interview’s subject matter can be controlled
B. That no other person was involved in the fraud in question
C. That the interview’s time and location can be controlled
D. That all reasonable investigative steps have been taken

Which of the following is the MOST ACCURATE statement regarding the analysis phase in digital forensic investigations?
A. When analyzing data for evidence, fraud examiners should look for inculpatory evidence but not exculpatory evidence.
B. During the analysis phase, it is best to use a combination of the various forensic tools that can assist in identifying, extracting, and collecting digital evidence.
C. The analysis phase of forensic investigations should not commence unless it is verified that the suspect devices do not contain relevant data.
D. The primary concern when analyzing digital evidence is to protect the collected information from seizure.

Which of the following statements about the process of obtaining a verbal confession is NOT true?
A. The transition from the accusation to the confession should occur when the accused supplies the first detailed information about the offense.
B. The three general approaches to obtaining a verbal confession are chronologically, by transaction, or by event.
C. Fraudsters tend to overestimate the amount of funds involved in the offense to relieve themselves of the guilt of their dishonest actions.
D. If the subject lies about an aspect of the offense in the process of confessing, it is best to proceed initially as if the falsehood has been accepted as truth.

Sample Solution